Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp595583img;
        Fri, 22 Mar 2019 04:49:14 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyRXP7KD97geEtoXCaHOlnNIQXSg7uCk1dypfolAYxWbtKpLOR3R5CT8N86W7jDFFuU0lqq
X-Received: by 2002:a62:342:: with SMTP id 63mr8759282pfd.80.1553255354411;
        Fri, 22 Mar 2019 04:49:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1553255354; cv=none;
        d=google.com; s=arc-20160816;
        b=mQwLGUZ3abuZdHaGulwPwqs3uXut50vJupGpMzc4xbfMBi9+moC4vuJzaPucndnlR8
         FQiNP3egWcmKnwrFf/NECTP3s5/fXywc9qSWrwKhc4TGnbo7I534hN3TetVJ9KNcYYEW
         zPS2IX9oMCKVhXGkQeG7gGHCE6nn3ka5HLQVThfM+rRkt9bAyBYBTnAJi9em+hRn9Hyz
         kxHEVHOlBYZD5xieprHHbFpfgIZu8rxzQMcfIDKtv8I6+9Zlu5az3s/TplyuYbd6Hw+W
         thKl5JIK/eXstrl/uLOmlZLbtQvLffzblaFn+V1aKO60RdMBav3l7Xp+G5CbFEwaxN2T
         XUxg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=iMj7uaXO/B6IM7QQND41klnYqNrfWHm73N8h9rX18S4=;
        b=aGb4MENIgPb83hvk1mGAT1MlCnvviu87tfPCA+lwaZp5BKZBQ+k3srriOLQq/fOqPv
         CaUeW+GMHO0mSWaDjlKxpd6r3BqWFDGbCYojompYYpyVyYNf14tgNWVjI57DJg8/ykcL
         nkKoP/HzVpVEYM94Zq5MV5gPNbi3zHy0wiUyxFBT4LAaOi1x8IQw48R7BtuW1kodVQIw
         oiYO+Zfmbf0KBUHbHUDpjvFoY/FJDoV+A8omem1Qd8DLraP0Vr4GkU7NRtzph8PuQ86E
         eMEKo64aRQ9uPgAWC4cQ/MXuPfew/ukwqDsGltQ83KJ3lAVYGAPnXQOMLKudu7FZbYxp
         Qiaw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="OvK/uqa6";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f17si6324591pgm.210.2019.03.22.04.48.56;
        Fri, 22 Mar 2019 04:49:14 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b="OvK/uqa6";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1732263AbfCVLsG (ORCPT <rfc822;ahaning.tech@gmail.com>
        + 99 others); Fri, 22 Mar 2019 07:48:06 -0400
Received: from mail.kernel.org ([198.145.29.99]:51364 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1731322AbfCVLsD (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Fri, 22 Mar 2019 07:48:03 -0400
Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 926B52075E;
        Fri, 22 Mar 2019 11:48:02 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1553255283;
        bh=Cc8Jg0yI+r2GN1CAE4J/9sqpUUjxn43Lnogz77g8Ie4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=OvK/uqa6zz+aObNMcQFAWjq7bO63Umaot0VfzLsdI7de9/GkNAbRaNrU3b/MU471V
         CzdNWJOWH+rGYztH7Eb6zDzTAciGV7WfK4aY8FhCiqac5Ddrsc1yuUUqWwjRYdq6kX
         iYLy+JS5SfYnXNfPowCDRLiPbdN6nNXyjfRKj+Oo=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org,
        Paul Kocialkowski <paul.kocialkowski@bootlin.com>,
        Stefan Wahren <stefan.wahren@i2se.com>,
        Wolfram Sang <wsa@the-dreams.de>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 034/183] i2c: bcm2835: Clear current buffer pointers and counts after a transfer
Date:   Fri, 22 Mar 2019 12:14:22 +0100
Message-Id: <20190322111244.193677852@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190322111241.819468003@linuxfoundation.org>
References: <20190322111241.819468003@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

[ Upstream commit f275a4659484716259cc46268d9043424e51cf0f ]

The driver's interrupt handler checks whether a message is currently
being handled with the curr_msg pointer. When it is NULL, the interrupt
is considered to be unexpected. Similarly, the i2c_start_transfer
routine checks for the remaining number of messages to handle in
num_msgs.

However, these values are never cleared and always keep the message and
number relevant to the latest transfer (which might be done already and
the underlying message memory might have been freed).

When an unexpected interrupt hits with the DONE bit set, the isr will
then try to access the flags field of the curr_msg structure, leading
to a fatal page fault.

The msg_buf and msg_buf_remaining fields are also never cleared at the
end of the transfer, which can lead to similar pitfalls.

Fix these issues by introducing a cleanup function and always calling
it after a transfer is finished.

Fixes: e2474541032d ("i2c: bcm2835: Fix hang for writing messages larger than 16 bytes")
Signed-off-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Acked-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/i2c/busses/i2c-bcm2835.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/drivers/i2c/busses/i2c-bcm2835.c b/drivers/i2c/busses/i2c-bcm2835.c
index 44deae78913e..4d19254f78c8 100644
--- a/drivers/i2c/busses/i2c-bcm2835.c
+++ b/drivers/i2c/busses/i2c-bcm2835.c
@@ -191,6 +191,15 @@ static void bcm2835_i2c_start_transfer(struct bcm2835_i2c_dev *i2c_dev)
 	bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C, c);
 }
 
+static void bcm2835_i2c_finish_transfer(struct bcm2835_i2c_dev *i2c_dev)
+{
+	i2c_dev->curr_msg = NULL;
+	i2c_dev->num_msgs = 0;
+
+	i2c_dev->msg_buf = NULL;
+	i2c_dev->msg_buf_remaining = 0;
+}
+
 /*
  * Note about I2C_C_CLEAR on error:
  * The I2C_C_CLEAR on errors will take some time to resolve -- if you were in
@@ -291,6 +300,9 @@ static int bcm2835_i2c_xfer(struct i2c_adapter *adap, struct i2c_msg msgs[],
 
 	time_left = wait_for_completion_timeout(&i2c_dev->completion,
 						adap->timeout);
+
+	bcm2835_i2c_finish_transfer(i2c_dev);
+
 	if (!time_left) {
 		bcm2835_i2c_writel(i2c_dev, BCM2835_I2C_C,
 				   BCM2835_I2C_C_CLEAR);
-- 
2.19.1